DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Letter Report:

DHS Needs to Prioritize Its Cyber Assets

OIG-08-31                March 2008

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

March 26, 2008

MEMORANDUM FOR:   Elaine C. Duke
                  Acting Undersecretary for Management

FROM:             Richard L. Skinner
                  Inspector General

SUBJECT:          Letter Report: DHS Needs to Prioritize Its Cyber Assets

We initiated an audit to determine the Department of Homeland Security’s progress in
identifying and prioritizing its internal cyber critical infrastructure in accordance with
Homeland Security Presidential Directive 7, Critical Infrastructure Identification,
Prioritization, and Protection. This directive established a national policy for the federal
government to identify, prioritize, and protect United States critical infrastructure,
including the internal critical assets used by each department.

The department has not completed all the steps to produce a prioritized inventory of its
internal cyber critical infrastructure. Further, the department’s Management Directorate
was not coordinating related efforts to secure these assets. We recommend that the
department designate a specific office to determine protection priorities for its internal
cyber critical infrastructure. Additionally, the department should develop a process to
coordinate internal efforts to protect these assets in accordance with Homeland Security
Presidential Directive 7.

We hope our recommendations will be of assistance as you move forward to implement
actions to protect the department’s internal cyber critical infrastructure and key resources.
Should you have any questions, please call me, or your staff may contact Frank Deffer,
Assistant Inspector General, Information Technology, at (202) 254-4100.

Background

Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure
Identification, Prioritization, and Protection, December 2003, established a national
policy to identify and prioritize critical infrastructures. These critical infrastructures are
both physical and cyber-based, and span all sectors of the economy. According to the
National Infrastructure Protection Plan (NIPP), June 2006,

        Cyber infrastructure includes electronic information and communications
        systems, and the information contained in those systems. Computer systems,
        control systems…and networks such as the Internet are all part of cyber
        infrastructure.

Further, HSPD-7 references the USA Patriot Act of 2001 (Public Law 107-56) to define
the term “critical infrastructure” as those:

        …systems and assets, whether physical or virtual, so vital to
        the United States that the incapacity or destruction of such systems
        and assets would have a debilitating impact on security, national
        economic security, national public health or safety, or any combination
        of those matters.

The Department of Homeland Security (DHS) planned to determine protection priorities
for its internal cyber critical infrastructure using the Project Matrix methodology. Project
Matrix is a systematic approach that seeks to discover the domino or cascading effects of
the loss of critical functions and services. This is accomplished through an understanding
of how these functions and services are provided and the impact of the loss should it
occur. This approach was designed to assist the department in identifying and
prioritizing critical functions and services performed by DHS in support of national
security, economic stability, and public safety.

According to the ISSM Guide to the DHS Information Security Program, Version 2.0,
July 19, 2004, the DHS Continuity Planning Program Director is responsible for Project
Matrix and reports to the DHS Chief Information Security Officer (CISO).

DHS Needs To Determine Protection Priorities for its Internal Cyber Critical Infrastructure

HSPD-7 established a national policy for federal departments and agencies to identify
and prioritize their critical cyber infrastructure. In compliance with HSPD-7, DHS uses
an enterprise management tool, Trusted Agent FISMA, to identify its high-risk systems.
However, DHS has not determined which of these high-risk systems must be given
priority when allocating protection resources.

For example, according to DHS 4300A Sensitive Systems Handbook, restoration priorities
are to be based on DHS mission criticality. DHS plans for restoring critical systems
following a service disruption or disaster include the establishment of the National Center
for Critical Information Processing and Storage (NCCIPS). This center is to host
departmental applications, network connectivity, and critical data storage. Additionally,
the NCCIPS and a second data center, yet to be established, are to have “active – active”
processing capability to ensure each mission critical system has a complete disaster
recovery capability. However, the current DHS schedule for migrating systems to the
NCCIPS is not based on system criticality, but instead is based on which component can
fund the migration of a system. As a result, DHS may not be providing a secure
processing and backup facility for its most critical systems.

For prioritization purposes, the most significant assets fall within the nationally critical
category. These nationally critical assets are considered necessary for the daily operation
of the federal government. Project Matrix is a methodology that would allow DHS to set
protection priorities across the department, and thus determine which cyber assets are
nationally critical. For example, a nationally critical function of DHS is to identify,
examine, and inspect all high-risk cargo and passengers. Project Matrix Step 1 lists those
nationally critical cyber systems, including the Automated Commercial Environment
(ACE), that support this function. In accordance with HSPD-7, DHS should place a
higher protection priority on nationally critical systems, such as ACE, than it places on
systems that do not support a nationally critical function.

Within the department, the CISO has responsibility for Project Matrix. In November
2003, the DHS CISO obtained Project Matrix contract support at a cost of approximately
$1.97 million. Step 1 of Project Matrix was to produce a rank ordered list of critical
functions and services. In November 2005, the DHS CISO cancelled the Project Matrix
support contract after obtaining only 15 of 18 (79%) Project Matrix Step 1 reports from
DHS components.[1] Further, in August 2007, the DHS CISO eliminated the section of the
DHS 4300A Sensitive Systems Handbook that detailed the responsibilities of the Office of
the DHS Chief Information Officer, and the DHS CISO related to HSPD-7 and Critical
Infrastructure Protection.

The DHS CISO said that he canceled the contract and removed the section from the
handbook because Project Matrix was not mentioned as a requirement in HSPD-7.
However, when these responsibilities were removed from DHS guidance, no DHS office
was given the responsibility to identify and prioritize internal critical infrastructure assets.

[1] The Office of Inspector General, Science and Technology Directorate, and the National Cyber Security
Division did not submit Project Matrix Step 1 reports.

According to HSPD-7,

        All Federal department and agency heads are responsible for the identification,
        prioritization, assessment, remediation, and protection of their respective internal
        critical infrastructure and key resources.

DHS could improve its ability to identify and prioritize its internal cyber critical
infrastructure by assigning an office with this responsibility. The absence of this
assigned responsibility hinders DHS’ ability to ensure that its most critical assets are
prioritized for protection.

Better Coordination Needed on DHS HSPD-7 Related Efforts

The effectiveness of HSPD-7 implementation could be improved if staff from the Office
of Security and the CIO synchronized their respective efforts to provide prioritized
protection for internal cyber critical infrastructure. Specifically, the Office of Security is
not adequately coordinating HSPD-7 related activities with the CIO.

In compliance with HSPD-7, DHS issued the Government Facilities Sector Plan.[2]
However, CIO staff said that they were unaware that this plan was issued. This occurred
because the Chief Security Officer, as the DHS representative to this government
coordinating council, did not distribute the Government Facilities Sector plan to the CIO.
Further, Office of Security staff did not invite CIO staff to a planning meeting to discuss
the impact that cyber security has on the Government Facilities Sector.

According to HSPD-7,

        Federal departments and agencies will identify, prioritize, and coordinate the
        protection of critical infrastructure and key resources in order to prevent, deter,
        and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit
        them.

Ineffective coordination could cause plans for protecting internal cyber critical
infrastructure to be incomplete. For example, Office of Security is responsible for
physical security of facilities. The physical security provided may need to be reassessed
if the facility contains DHS internal cyber critical infrastructure.

[2] Government Facilities – Critical Infrastructure and Key Resources as input to the National Infrastructure
Protection Plan, May 2007.

Recommendations

We recommend that the Undersecretary for Management take the following actions for
activities related to the management of internal cyber critical infrastructure:

   Recommendation #1: Assign responsibility and provide the necessary resources to
   determine protection priorities for the Department’s internal cyber critical
   infrastructure.

   Recommendation #2: Develop a process to coordinate the DHS internal cyber
   critical infrastructure protection activities among the Line of Business Chiefs.

Management Comments and OIG Analysis

We obtained written comments on a draft of the report from the Deputy Undersecretary
for Management. We have included a copy of the comments in Appendix A. The
Deputy Undersecretary concurred with both recommendations; however, she suggested
that they should be reworded for clarity. We reviewed the Deputy Undersecretary for
Management’s suggestions and made changes where appropriate.

*********************

We conducted our audit from August 2007 to March 2008 under the authority of the
Inspector General Act of 1978, as amended, and according to generally accepted
government audit standards.

Appendix A
Management Response

Under Secretary for Management
U.S. Department of Homeland Security
Washington, DC 20528

Homeland Security

MAR 06 2008

MEMORANDUM FOR:   Frank Deffer
                  Assistant Inspector General
                  Information Technology Audits

FROM:             Elaine C. Duke
                  Deputy Under Secretary for Management

SUBJECT:          Letter Report: DHS Needs to Prioritize Its Cyber Assets

Thank you for your memorandum dated January 31, 2008, regarding Office of the Inspector General
draft letter report entitled, DHS Needs to Prioritize Its Cyber Assets. Your memorandum noted the
following two recommendations:

   • "Assign responsibility and provide the necessary resources to determine protection priorities
     for its internal cyber critical infrastructure."

   • "Develop a process to coordinate the DHS internal cyber critical infrastructure protection
     activities of the Management Directorate offices."

I agree with both recommendations. However, I suggest they be worded as follows for clarification:

   • "Assign responsibility and provide the necessary resources to determine protection priorities
     for the Department's internal critical infrastructure, including critical cyber infrastructure."

   • "Develop a process to coordinate the DHS internal critical infrastructure protection activities
     among the Line of Business Chiefs."

The Chief Administrative Officer is assigned the responsibility to manage the business continuity
and mission assurance functions and will have the lead for implementing these recommendations.

Appendix B
Major Contributors to This Report

Roger Dressler, Director, Department of Homeland Security,
Information Technology Audits

Kevin Burke, Audit Manager, Department of Homeland Security,
Information Technology Audits

Matthew Worner, Program Analyst, Department of Homeland
Security, Information Technology Audits

Domingo Alvarez, Senior IT Auditor, Department of Homeland
Security, Information Technology Audits

Beverly Dale, Senior IT Auditor, Department of Homeland
Security, Information Technology Audits

Syrita Morgan, Management and Program Assistant, Department
of Homeland Security, Information Technology Audits

Samer El-Hage, Management and Program Assistant, Department
of Homeland Security, Information Technology Audits

Tarsha Cary, Referencer

Appendix C
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Under Secretary, Management
Assistant Secretary for Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
Chief Information Officer
Chief Information Security Officer
DHS Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web
site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal misconduct relative to department programs or
operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
        DHS Office of Inspector General/MAIL STOP 2600, Attention:
        Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
        Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.